How do I pass an X509 certificate through cascading https servers?
A -> B -> C -> D
(browser) (web) (middleware) (db)

You can only have point-to-point certificate authentication with SSL. A auths B, B auths C, C auths D. SSL has no provisions for "tunnelling" challenges and responses across intermediate tiers. The big reason I can think of why SSL would be designed this way is that the only real concern was getting credit card numbers from end-users, and making SSL work in multiple tiers just complicated things too much. D will have to be happy with knowing that it was definitely C that connected, and will have to take it on faith that A is on the other end of all of this - because it assumes that C is trustworthy. And C assumes it is A on the other end because B is trustworthy.
So, in your back-end tier the getRemoteUser will return the identifier for a webserver user and NOT the user on the other end. You cannot authenticate to D with A's certificate, because the connection from C to D cannot get access to A's private key material. So, what we did to get around the problem is to simply have B pass on an http parameter that declares that A is the "real" user instead of getRemoteUser. A is in our LDAP, so we continue processing on behalf of user A from inside of D.
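The workaround in the answer above (B forwards the real user as an HTTP parameter while D only ever sees C's certificate) is safe only if D accepts that parameter from an authenticated, allow-listed intermediate and ignores it from anyone else. The following is an added example, not code from the original post: it models the decision D has to make after its TLS layer has verified the peer certificate. The intermediate CN, the header name, and the directory contents are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample data for the question's chain A -> B -> C -> D.
# D's TLS layer has already verified the peer certificate of whoever opened
# the connection; we model the result of that handshake as the peer's subject CN.
TRUSTED_INTERMEDIATES = {"middleware-c.example.internal"}   # assumed CN of C's cert
FORWARDED_USER_HEADER = "x-forwarded-user"                   # assumed name of the parameter B/C pass on
DIRECTORY_USERS = {"alice", "bob"}                           # stand-in for the LDAP lookup


@dataclass(frozen=True)
class Principal:
    user: str          # identity D will act on behalf of
    direct_peer: str   # what getRemoteUser() returns on D: the TLS peer, not A
    forwarded: bool    # True when `user` came from the forwarded parameter


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip() or None
    return None


def resolve_principal(peer_cn: Optional[str], headers: Mapping[str, str]) -> Principal:
    """Decide whom D is acting for.

    peer_cn is the subject CN of the client certificate D's TLS stack verified,
    or None if the peer presented no (valid) certificate.
    """
    if peer_cn is None:
        raise PermissionError("client certificate required on the C -> D hop")

    forwarded = _header(headers, FORWARDED_USER_HEADER)

    # Only a verified, allow-listed intermediate may assert a different user.
    # Anything else that reaches D with the header set is ignored, so a peer
    # cannot impersonate A simply by adding the parameter itself.
    if peer_cn in TRUSTED_INTERMEDIATES and forwarded:
        if forwarded not in DIRECTORY_USERS:
            raise PermissionError(f"forwarded user {forwarded!r} not in directory")
        return Principal(user=forwarded, direct_peer=peer_cn, forwarded=True)

    return Principal(user=peer_cn, direct_peer=peer_cn, forwarded=False)


def run_chain(browser_cn: str) -> Principal:
    """Simulate the three point-to-point hops. Each tier authenticates only
    its immediate neighbour and passes the original user on as plain data."""
    # Hop A -> B: B's TLS layer verified A's certificate, so B knows the CN.
    b_request = {FORWARDED_USER_HEADER: browser_cn}
    # Hop B -> C: C authenticated B (not modelled further) and forwards the header.
    c_request = dict(b_request)
    # Hop C -> D: D sees C's certificate, never A's, and resolves the principal.
    return resolve_principal("middleware-c.example.internal", c_request)


if __name__ == "__main__":
    print(run_chain("alice"))
    print(resolve_principal("unknown-peer", {"X-Forwarded-User": "alice"}))
```

The second call in the usage block shows the caveat: a peer that is not C gets the header silently ignored and is treated as itself, and a forwarded name that does not exist in the directory is rejected rather than acted upon.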